# MXToolbox warnings and Kerio Connect
APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed


© May 2019 Anthony Lawrence


I've had email from customers saying that MXToolbox says their Kerio Connect mail server is not configured correctly. It reports that they have no PTR record configured (reverse DNS), that the banner is incorrect and that TLS is not enabled. Sounds pretty bad, doesn't it?

And yet when I check these things manually, there is no problem: everything is as it should be. So what's going on here - is MXToolbox wrong or am I?

To find out, I asked MXToolbox to check my own domain. This is the report I got back.

[Image: Mxtoolbox reports are incorrect with Kerio Mailserver]

Let's take a look at each of those:

## SOA Serial Number Format is Invalid

That's my DNS provider (Cloudflare) and it's an absolutely meaningless message. As MXToolbox itself notes:

> It has become common to set your serial number with a date format to make it easier to manage.

Indeed, that's just what Cloudflare does and it's quite silly to report that as a warning.

## SOA Expire Value out of recommended range

According to their docs, MXToolbox will issue this warning if your value is less than 2 weeks or more than 4 weeks. They say those are "suggested values". Well, Cloudflare uses a default of one week - which they say is their "suggested value". It's their DNS servers that will be queried more frequently, so why does that concern MXToolbox? It shouldn't.

## Reverse DNS does not match SMTP banner

Really? Actually, it does: my banner says "220 mail.aplawrence.com ESMTP ready" and the reverse DNS is mail.aplawrence.com, so that's correct. They get this wrong for the same reason they get the next two wrong.

## Does not support TLS

Sure it does:

```
220 mail.aplawrence.com ESMTP ready
EHLO aplawrence.com
250 HELP
```

EHLO asks that a server list its capabilities and STARTTLS is listed.

## 15.6662 seconds - Not good!

But actually, that's deliberate - that's the Spam Repellent setting that we do on purpose. MXToolbox even mentions that possibility:

> It is also possible your server is "Tar pitting". Tar pitting is a technique used by some email servers to slow down spammers. The idea is that legitimate senders will wait longer to establish a connection than spammers will.

I suspect this is the source of the TLS and reverse banner also: they spit those commands out too early and got disconnected. To find out, I turned on SMTP debugging momentarily and had them try again. As I suspected, I saw this in the log:

```
[18/Dec/2014 15:03:57][31880] {smtps} Client closed connection before SMTP greeting, connection rejected
```

That address is MXToolbox.com. The connection was closed because they tried to enter commands before seeing my banner, which they should not do.

So - if you've wondered why MXToolbox spits warnings at you, this is why.
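The failure mode described above can be reproduced offline. This is an added example, not code from the original article, Kerio Connect or MXToolbox: a Python probe that stays silent until the 220 banner arrives, then compares the banner host with an expected PTR name and looks for STARTTLS in the EHLO reply. The tarpitting server is a constructed stand-in on a local socket pair; `mail.example.test`, `probe.example.test` and all function names are assumptions, and the PTR name is passed in rather than resolved so nothing touches the network.

```python
import select, socket, threading, time

def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line); return (code, text_lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if line[3:4] != "-":              # "250-" continues, "250 " is the last line
            return int(line[:3]), lines

def probe(sock, helo_name, ptr_name, greet_timeout=60.0):
    """Stay silent until the 220 banner, then check banner vs PTR and STARTTLS."""
    sock.settimeout(greet_timeout)        # a tarpitting server may hold the banner back
    rfile = sock.makefile("rb")
    start = time.monotonic()
    code, banner = read_reply(rfile)      # nothing is sent before this returns
    delay = time.monotonic() - start
    if code != 220:
        raise ConnectionError(f"unexpected greeting code {code}")
    sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
    _, caps = read_reply(rfile)
    banner_host = (banner[0].split() or [""])[0].lower().rstrip(".")
    return {"greet_delay": delay,
            "banner_matches_ptr": banner_host == ptr_name.lower().rstrip("."),
            "starttls": any(c.upper().split()[:1] == ["STARTTLS"] for c in caps)}

def fake_tarpit_server(conn, delay):
    """Constructed stand-in: delays its banner and drops clients that talk first."""
    if select.select([conn], [], [], delay)[0]:   # client spoke before the banner
        conn.recv(1024)                           # drain it, then drop the client
    else:
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        conn.recv(1024)                           # the client's EHLO
        conn.sendall(b"250-mail.example.test\r\n250-STARTTLS\r\n250 HELP\r\n")
    conn.close()

def run(early_talker, delay=0.3):
    client, server = socket.socketpair()
    threading.Thread(target=fake_tarpit_server, args=(server, delay), daemon=True).start()
    try:
        if early_talker:                  # the behaviour the article attributes to the probe
            client.sendall(b"EHLO probe.example.test\r\n")
        return probe(client, "probe.example.test", "mail.example.test")
    finally:
        client.close()
```

`run(early_talker=False)` reports a matching banner and STARTTLS after the greeting delay, while `run(early_talker=True)` raises `ConnectionError` because the server drops the session before any banner is sent.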


Fri Jan 2 16:28:24 2015: 12597   DaveGillam (https://www.davegillam.com)


In my case, all look proper, even with tarpitting delays. MXToolbox may have corrected the probes.


Fri Jan 2 21:00:21 2015: 12598   TonyLawrence


Odd - they still give me the same "errors".

